CVE-2026-35599— Vikunja 安全漏洞
新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2026-35599の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler
ソース: NVD (National Vulnerability Database)
脆弱性説明
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request. This vulnerability is fixed in 2.3.0.
ソース: NVD (National Vulnerability Database)
CVSS情報
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
算法复杂性
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
Vikunja 安全漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
Vikunja是Vikunja开源的一个待办事项应用程序。 Vikunja 2.3.0之前版本存在安全漏洞,该漏洞源于addRepeatIntervalToTime函数使用O(n)循环处理重复任务,可能导致通过创建特定重复任务触发数十亿次循环迭代,消耗CPU并长时间占用数据库连接。
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)
影響を受ける製品
| ベンダー | プロダクト | 影響を受けるバージョン | CPE | 購読 |
|---|---|---|---|---|
| go-vikunja | vikunja | < 2.3.0 | - |
II. CVE-2026-35599の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|
AI生成POCプレミアム
公開POCは見つかりませんでした。
ログインしてAI POCを生成III. CVE-2026-35599のインテリジェンス情報
请登录查看更多情报信息。
- Release v2.3.0 · go-vikunja/vikunja · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-35599
Same Patch Batch · go-vikunja · 2026-04-10 · 11 CVEs total
| CVE-2026-35595 | 8.3 HIGH | Vikunja Affected by Privilege Escalation via Project Reparenting |
| CVE-2026-34727 | 7.4 HIGH | Vikunja ahs a TOTP Two-Factor Authentication Bypass via OIDC Login Path |
| CVE-2026-35594 | 6.5 MEDIUM | Vikunja Link Share JWT tokens remain valid for 72 hours after share deletion or permission |
| CVE-2026-35597 | 5.9 MEDIUM | Vikunja Affected by TOTP Brute-Force Due to Non-Functional Account Lockout |
| CVE-2026-35600 | 5.4 MEDIUM | Vikunja has HTML Injection via Task Titles in Overdue Email Notifications |
| CVE-2026-35602 | 5.4 MEDIUM | Vikunja has a File Size Limit Bypass via Vikunja Import |
| CVE-2026-35596 | 4.3 MEDIUM | Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug |
| CVE-2026-35598 | 4.3 MEDIUM | Vikunja has Missing Authorization on CalDAV Task Read |
| CVE-2026-40103 | 4.3 MEDIUM | Vikunja's Scoped API tokens with projects.background permission can delete project backgro |
| CVE-2026-35601 | 4.1 MEDIUM | Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output |
IV. 関連脆弱性
同じ製品: vikunja
- CVE-2026-40103
Vikunja's Scoped API tokens with projects.background permiss - CVE-2026-35602
Vikunja has a File Size Limit Bypass via Vikunja Import - CVE-2026-35601
Vikunja has an iCalendar Property Injection via CRLF in CalD - CVE-2026-35600
Vikunja has HTML Injection via Task Titles in Overdue Email - CVE-2026-35598
Vikunja has Missing Authorization on CalDAV Task Read
同じベンダー: go-vikunja
- CVE-2026-40103
Vikunja's Scoped API tokens with projects.background permiss - CVE-2026-35602
Vikunja has a File Size Limit Bypass via Vikunja Import - CVE-2026-35601
Vikunja has an iCalendar Property Injection via CRLF in CalD - CVE-2026-35600
Vikunja has HTML Injection via Task Titles in Overdue Email - CVE-2026-35598
Vikunja has Missing Authorization on CalDAV Task Read
同じ弱点: CWE-407
- CVE-2026-45186
libexpat<2.8.1 XML输入拒绝服务漏洞 - CVE-2026-42245
net-imap: Quadratic complexity when reading response literal - CVE-2026-43967
Quadratic fragment-name uniqueness check causes denial of se - CVE-2026-40476
graphql-php: Denial of Service via quadratic complexity in O - CVE-2026-6042
musl libc GB18030 4-byte Decoder iconv.c iconv algorithmic c
V. CVE-2026-35599へのコメント
まだコメントはありません